Hi! In our application we want to use JAAS to authenticate and authorise users and their access to defined functions. Therefore I have activated OSGi Security and added the correct AllPermission-Policy and the Equinox FrameworkSecurityManager while starting the application.
Performing "normal" checkPermission operations, all security evaluations are executed as expected. You can use the specific bundle permissions and the call stack is considered in the right way. However, using a Subject.doAsPrivileged call to perform operations as a specific user, the ProtectionDomains of the bundles are not considered and the user always has AllPermission.

Googling for this behaviour I found a bug report in the Felix bug database, https://issues.apache.org/jira/browse/FELIX-654, describing this problem. Using Equinox, can this happen the same way? And is there a proper workaround for this problem, or is it not possible to use Subject.doAsPrivileged at the moment?

Thanks for your help

Florian Pepping

By the way, here are the AccessControlContexts before the Subject.doAsPrivileged call and within the Subject.doAsPrivileged call:

Before the Subject.doAsPrivileged call:

    ProtectionDomain (file:/D:/Sandboxes/DS/src/com.test/classes/ <no signer certificates>)
     null
     <no principals>
     org.eclipse.osgi.framework.internal.core.bundlecombinedpermissi...@5d72e2
    ( --> here I have a BundleCombinedPermission )

With the Subject.doAsPrivileged call:

    ProtectionDomain (file:/D:/Sandboxes/DS/src/com.test/classes/ <no signer certificates>)
     null
     <no principals>
     java.security.permissi...@39d3d3
    ( --> here I have a "normal" PermissionCollection for this CodeBase
      (java.security.AllPermission <all permissions> <all actions>) )

--
WINCOR NIXDORF International GmbH
_______________________________________________
equinox-dev mailing list
https://dev.eclipse.org/mailman/listinfo/equinox-dev
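A check for the behaviour reported in the message above, as an added example that is not part of the original post or of Equinox: it runs the same permission check on the plain call stack and again inside Subject.doAsPrivileged and reports whether the result widens. The class name, the probe permission name and the empty Subject are assumptions; it needs a JVM with a security manager installed and must be loaded from the bundle under test.

```java
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.Permission;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import javax.security.auth.Subject;

public class DoAsPrivilegedProbe {

    // Constructed permission name; assumed NOT to be granted to this bundle.
    static final Permission PROBE = new RuntimePermission("com.test.probe.notGranted");

    // True if the current access control context allows PROBE.
    static boolean probeGranted() {
        try {
            AccessController.checkPermission(PROBE);
            return true;
        } catch (AccessControlException denied) {
            return false;
        }
    }

    // Runs the probe on the plain call stack and again inside doAsPrivileged.
    public static String run(Subject subject) {
        ProtectionDomain bundleDomain = DoAsPrivilegedProbe.class.getProtectionDomain();
        boolean domainImplies = bundleDomain.implies(PROBE);
        boolean outside = probeGranted();
        // With a null context, only the frames from the action onward, combined
        // with the subject's principals, take part in the check.
        boolean inside = Subject.doAsPrivileged(subject, new PrivilegedAction<Boolean>() {
            public Boolean run() {
                return probeGranted();
            }
        }, null);
        String verdict = (!outside && inside)
                ? "WIDENED: bundle restriction lost inside doAsPrivileged"
                : "consistent";
        return "bundle domain implies probe: " + domainImplies
                + ", outside: " + outside + ", inside: " + inside + " -> " + verdict;
    }

    public static void main(String[] args) {
        if (System.getSecurityManager() == null) {
            System.out.println("No security manager installed; the probe is meaningless.");
            return;
        }
        System.out.println(run(new Subject()));
    }
}
```

In an OSGi runtime, call `DoAsPrivilegedProbe.run(...)` from code inside the restricted bundle (for example its activator) rather than through `main`, so that the bundle's ProtectionDomain is on the call stack.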
